41% of Logins Use Leaked Passwords: A Growing Risk

A recent report from Cloudflare has once again brought to light a problem that persists despite years of warnings: password reuse. Between September and November 2024, 41% of successful logins detected on websites protected by this platform were made using credentials previously exposed in data breaches.

This data not only reveals a lack of awareness among users but also the growing sophistication of automated attacks that exploit these bad practices.

The Silent Threat: Bots and Mass Attacks

The study highlights that 95% of access attempts using leaked passwords come from bots, which carry out mass attacks known as credential stuffing. These bots test stolen credentials across multiple services until they find valid combinations. The automation and scale of these attacks mean that any user who reuses a password is exposed within minutes.

Platforms like WordPress bear the brunt of these attacks due to their popularity and ease of identification. On WordPress-based sites, 76% of attempts using leaked passwords resulted in successful access, and nearly half were made by bots.

Passwords People Continue to Use (and Reuse)

The Cloudflare report not only outlines the magnitude of the issue but also highlights common patterns of poor practices. Among the most reused and compromised passwords are predictable and easy-to-guess combinations:

  • 123456
  • password
  • qwerty
  • 123456789
  • 111111
  • abc123
  • iloveyou
  • admin
  • 123123
  • welcome

These examples reflect what experts call “lazy passwords”: they are used by millions of people across multiple services and are the first ones attackers try.

Why Does This Keep Happening?

Convenience and forgetfulness are behind most of these mistakes. Managing strong, unique passwords for every service may seem challenging, but password management tools and passwordless authentication solutions (like passkeys) make this task significantly easier.

Additionally, although many users are aware of the risks, they often do not take action until they become victims of an attack. This inertia poses risks at both the individual and business levels.

The Solution: Education, Technology, and Prevention

To protect themselves, users should:

  • Create unique and robust passwords for each account.
  • Use password managers to avoid having to remember them.
  • Always enable multi-factor authentication (MFA).
  • Change compromised passwords as soon as they receive alerts.

For their part, companies should implement systems to detect leaked credentials, block mass attempts through rate limiting, and manage suspicious traffic with anti-bot tools. Additionally, they should educate their users and employees about good cybersecurity practices.
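A minimal sketch of the two server-side controls named above, leaked-credential detection and rate limiting, added here as an illustration and not taken from the Cloudflare report. All function and class names, the thresholds, and the "step_up" policy are assumptions; the corpus is constructed from the passwords listed in this article, and the 5-character SHA-1 prefix lookup mirrors the k-anonymity range pattern used by public breach-corpus services.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample corpus: the reused passwords listed in the article.
LEAKED = ["123456", "password", "qwerty", "123456789", "111111",
          "abc123", "iloveyou", "admin", "123123", "welcome"]

def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index leaked hashes by 5-char prefix, as a range-lookup service would."""
    index = defaultdict(set)
    for pw in passwords:
        digest = _sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def is_leaked(password, index):
    """Look up by prefix only; the hash suffix is compared locally."""
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

class FailureLimiter:
    """Sliding-window limit on failed logins per source (e.g. client IP)."""
    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def record_failure(self, source, now=None):
        self.failures[source].append(time.monotonic() if now is None else now)

    def is_blocked(self, source, now=None):
        now = time.monotonic() if now is None else now
        q = self.failures.get(source)
        if not q:
            return False
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

def evaluate_login(source, password, credentials_ok, index, limiter, now=None):
    """Return 'blocked', 'denied', 'step_up' (valid but leaked) or 'allow'."""
    if limiter.is_blocked(source, now):
        return "blocked"
    if not credentials_ok:
        limiter.record_failure(source, now)
        return "denied"
    # Assumed policy: a correct but leaked password triggers MFA or a forced reset.
    return "step_up" if is_leaked(password, index) else "allow"
```

Because a stuffed credential can be correct on the first try, the leaked-password check runs on successful logins too; rate limiting alone only catches the failed guesses.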

Cybersecurity Starts with a Password

The conclusion is clear: password reuse remains a gateway for automated attacks and account takeovers. Technology can put up barriers, but the first line of defense remains user awareness and a change in habits.

If 41% of logins still use compromised passwords, it is evident that there is a long way to go. Ultimately, security starts with a simple act: choosing a good password and never reusing it.

Source: Security News
